European law enforcement agencies dismantled the privacy-focused service First VPN, which investigators say was widely used to conceal ransomware attacks, data theft, fraud, and other cybercrime. The operation was led by French and Dutch authorities with Europol support and coordinated action on May 19–20, resulting in the seizure of 33 servers across 27 countries, the takeover of multiple First VPN domains and related onion services, and enforcement activity in Ukraine, where authorities questioned a suspected administrator and searched a residence. Officials said the service was openly advertised on Russian-speaking cybercrime forums and marketed features such as anonymity, hidden infrastructure, anonymous payments, and refusal to cooperate with law enforcement.
Investigators said they had infiltrated First VPN’s infrastructure before the takedown, obtained the service’s user database, and collected traffic data that exposed thousands of users allegedly tied to cybercrime. Europol said the platform had surfaced in nearly every major cybercrime investigation it supported in recent years, and authorities have already shared information on 506 users and 83 intelligence packages to aid ongoing cases worldwide. Officials described the seizure as the removal of a key layer criminals relied on to hide identities, communications, and backend systems, while warning that follow-on investigations into ransomware, fraud, and related offenses are continuing.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
9 events from the most recent confirmed update back to the earliest known activity.
Europol said intelligence gathered from the dismantled First VPN service is being used to support 21 additional cybercrime investigations across multiple jurisdictions worldwide. The update showed the takedown had expanded into follow-on cases beyond the initial seizure and user identification efforts.
On 2026-05-21, the FBI released FLASH-20260521-001 detailing indicators of compromise, domains, communication accounts, current and historical IP addresses, and MITRE ATT&CK techniques associated with First VPN Service. The advisory said the service had been used by at least 25 ransomware groups and provided defensive recommendations following the international takedown.
Following the May 2026 takedown, investigators publicly identified 65 IP addresses associated with First VPN. The disclosure added new technical indicators tied to the criminal VPN service for partner agencies and defenders.
Authorities said they infiltrated First VPN's infrastructure, obtained its user database and traffic data, identified users, and shared information on 506 users plus 83 intelligence packages to support ongoing investigations worldwide.
During the May 19–20, 2026 international operation against First VPN, law enforcement arrested the service's administrator. This goes beyond the previously reported questioning of a suspect in Ukraine and marks a concrete enforcement action tied to the takedown.
As part of the May 19–20, 2026 operation, authorities in Ukraine conducted a house search and questioned a suspected administrator linked to First VPN.
During a coordinated action on May 19–20, 2026, law enforcement agencies dismantled First VPN, seized 33 servers across 27 countries, and took control of multiple domains and related onion services tied to the platform.
French and Dutch authorities expanded the case by forming a joint investigation team in November 2023, with Europol later supporting the operation through an operational taskforce.
Authorities began investigating the privacy-focused VPN service First VPN in December 2021 over its suspected use in ransomware, data theft, fraud, and other cybercrime activity.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
21 references tracked. Mallory keeps watching after this page renders.
cysecurity.news
Open sourcexakep.ru
Open sourcesecurityonline.info
Open sourceteiss.co.uk
Open sourcehelpnetsecurity.com
Open sourceoperation-saffron.eu
Open sourcetherecord.media
Open sourceic3.gov
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.